Hey folks, in this post I want to share what I would have done differently before I started in a SOC, so you don't make the same mistakes I did :D.

SIEMs

SIEMs (Security Incident-Event Management) are amazing tools; they are the right hand of every SOC analyst. They help us collect and filter data and create alerts; they are our eyes and ears in a system.

So my mistake here was trying to learn as many SIEMs as I could. I was learning Splunk for a month, then I switched to Elastic, then I touched some McAfee, and in the end I knew little to nothing about how to use them on an everyday basis. It helped me understand how they function at a high level, but it cost me a lot of time.

SIEM query languages are like another language, and they look very much alike: if you speak one, it will be a lot easier to learn a new one.

So my advice to all you aspiring SOC analysts: learn how a SIEM works at a high level, then choose one and deep dive into it! You will thank me later 😉

Windows

We use Windows on a day-to-day basis, but we don't think about Sysinternals, processes, system calls and all that stuff (a very technical term, I know) that Windows does for us in the background. If I could go back in time, I would have learnt more about Windows: command line utilities, a little bit of PowerShell, UAC, and processes.

Learning all these things on the fly was more than overwhelming, and I couldn't focus on more important things like searching for anomalous behaviour. I had to look up what smss.exe does and what the common processes and executables are on a Windows OS.

And I am an analyst, not a DF/IR person! But we have to know the technology we are working with.

My advice to all of you is to familiarize yourself with the following Windows-related topics so you can spot anomalies in an affected system:

  • Windows file system (Where are the users, programs, temp files and DLLs? Which locations are world-writable or world-readable?)
  • Windows processes (winlogon.exe, smss.exe, explorer.exe, the basic ones; check their expected paths and hashes as well, so you can spot a process that is masquerading as one of them)
  • Windows command line (Convert your Linux knowledge: ls = dir, cat = more, and so on)
  • Common DLLs used by malware (kernel32.dll, user32.dll, advapi32.dll, etc.)

Malware Analysis

Every piece of malware is different. Nowadays we have malware families, not just a simple piece of code that can be identified by a signature. They can mutate, show different faces during execution, sleep to evade AV solutions, and their developers can use obfuscation to hide them from the watching eyes of our defence systems.

Every malware-related alert is different. Sometimes you see a lot of registry modifications and a bunch of processes being created, you stress out, and after digging a bit you realize it's just an installation of Teams or some other tool.

My advice is to learn the basic procedures of malware analysis and choose an EDR solution you are comfortable with, with some samples to practice on. Ask the following questions:

  • Where is the file located? (absolute path to the file; is it in a world-writable place or a common place like the Downloads folder?)
  • What is the hash of the file, and is it known to be malicious? (Use VirusTotal or Kaspersky to check it)
  • Where does it come from? (USB, email, CD, etc.)
  • Which process initiated it? (for example: chrome.exe, explorer.exe, etc.)
  • What was the process/executable trying to do? (creating other processes, modifying the registry, encrypting files, and so on)

That's all I wanted to share at the moment. Thanks for reading and have a wonderful day! ☕

Also, if you like this post please consider following my page on LinkedIn:

https://www.linkedin.com/company/83026465/